The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Network security incidents are composed of several events, steps or actions that an attacker may take to compromise a targeted network and extract valuable intellectual property or personal data, or perform malicious reconfiguration operations. These steps may include scanning of potential targets, initial infection, library download, or communication with a command and control server.
Traditionally, signature-based security devices, firewalls, or anti-viruses are deployed to detect such threats. However, signature-based algorithms simply compare a byte sequence that has been detected to stored byte-sequences corresponding to known threats, which may be in a database. Thus, if a new threat has not yet been analyzed and recorded into the database, the signature based algorithm may not identify the new threat. Furthermore, if a threat has the ability to change, the signature-based algorithms may again fail to identify the threat because a current signature of the threat may be different than a stored signature of the same threat that was recorded earlier. Thus, polymorphic malware, zero-day attacks by threats that are novel or previously unseen, or other types of advanced persistent network threats are usually not detected or blocked by signature-based security algorithms.